You know how to send my signal — Setting up RFCat from scratch

RFCat is a firmware/Python-client combination written by “atlas”. This software takes the once-limited TI CC1111EMK and broadens its abilities. The GrrCon page (where you can buy one for $110, pre-flashed and ready to use out of the box) describes RFCat as:

Signed, flashed RfCat USB Radio Dongle (based on Chipcon CC1111EMK-868-900), making the opacity of Proprietary protocols into transparency and capacity for attack

Capable of transmitting/receiving/snooping/SpectrumAnalysis on frequencies between 300-928MHz and more (officially 315, 433, 868, 915MHz ranges, but we’ve seen more than that) using modulations 2FSK, GFSK, MSK, ASK, and OOK and baud rates 0 – 250kbaud

Good question. Well, if you are a Software Defined Radio enthusiast like me, this is an excellent tool for testing the robustness of radio protocols on various embedded devices. Since this piece of hardware is a transceiver with the modulation, etc. taken care of for you, it is the perfect device for helping with your everyday exploration of radio signals.

Enough chit-chat. Below I have mapped out how I “made” my un-flashed CC1111EMK into a fully functional RFCat dongle. It cost me about $80 going this route; saving a little bit of cash, learning a lot through trial and error, and having the ability to re-flash my device again when new RFCat firmware comes out made this venture worth it.

Plug the other end of the ribbon cable (again, in the correct direction, or the chip won’t be recognized) onto the 10 pins of the SmartRF

Plug the SmartRF into another USB port on your Windows 7 box

Download and extract the RFCat folder onto your desktop

Start up the SmartRF Flash Programmer software you installed earlier

The software may ask you to update the firmware for your SmartRF — go ahead and do this by clicking “OK”, selecting “Program Evaluation Board” from the top dropdown, and then clicking “Update EB Firmware”

Select “Program CCxxxx SoC or MSP430” from the dropdown box at the top

Make sure that both the Chip Type and the EB type appear after loading up your flash programmer. At this point, navigate to your root RFCat folder and point “Flash image” to the following file: rfcat_130515\firmware\bins\RfCatDonsCCBootloader-130515.hex, then under “Actions” select “Erase, program and verify”. Click “Perform actions”.

Once you hear Windows reconnect your device (the dongle should still have a solid green light), repeat the above with the second file as the Flash image: rfcat_130515\firmware\bins\RfCatDons-130515.hex. This time, be sure to select “Write protect boot block”. Click “Perform actions” once again.

Remove the debug cable from the now-flashed RFCat device (CC1111EMK) and unplug it from the USB port as well.

Make sure you have python-usb and libusb installed on your box. You can perform this installation on OS X by running brew install package_name_here, or with apt-get install package_name_here on Debian-based Linux distributions.

Build and install the RFCat client by running: sudo python setup.py install

Create a new file at /etc/udev/rules.d/20-rfcat.rules with the following lines:

Assuming that everything appeared and worked up to this point as described, I can think of two things that it could be: try a different USB port on your box, or maybe one of your wires is mixed up for the resetting portion of the SmartRF? I went through an issue where I had my order backward due to not very good markings on the board. Let me know if you have any other details.
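For the udev-rule step above, and to narrow down a “dongle not seen” report like the one answered above, here is an added host-side check (my own example, not code from the original post or from the RFCat project). It finds the dongle in Linux sysfs by VID:PID and reports whether the current user can open its /dev/bus/usb node, which is exactly what 20-rfcat.rules is there to grant; RFCAT_VID and RFCAT_PID are placeholders to be replaced with what lsusb shows, and make_fake_sysfs builds a constructed sample tree for self-testing.

```python
"""Post-install check for a freshly flashed RFCat dongle (added example, not RFCat project
code): find the dongle in sysfs by VID:PID, then confirm this user may open its usbfs node."""
import os
import tempfile
from pathlib import Path

RFCAT_VID, RFCAT_PID = "xxxx", "xxxx"  # placeholders: copy the real values from lsusb


def find_usb_devices(sysfs_root, vid, pid):
    """(busnum, devnum) of each device under sysfs_root whose idVendor:idProduct is vid:pid."""
    hits = []
    for dev in sorted(Path(sysfs_root).iterdir()):
        try:
            ids = tuple((dev / f).read_text().strip().lower() for f in ("idVendor", "idProduct"))
        except OSError:
            continue  # interface entries such as 1-3:1.0 carry no idVendor; skip them
        if ids == (vid.lower(), pid.lower()):
            hits.append(tuple(int((dev / f).read_text()) for f in ("busnum", "devnum")))
    return hits


def device_node(busnum, devnum, dev_root="/dev/bus/usb"):
    """The usbfs node libusb opens, e.g. /dev/bus/usb/001/004."""
    return os.path.join(dev_root, "%03d" % busnum, "%03d" % devnum)


def check_access(node):
    """'ok' when this user can read and write the node, otherwise a diagnosis."""
    if not os.path.exists(node):
        return "missing"
    if os.access(node, os.R_OK | os.W_OK):
        return "ok"
    return "permission denied (udev rule not applied, or user not in its group)"


def make_fake_sysfs(devices):
    """Constructed sample tree for self-testing; devices = [(name, vid, pid, bus, dev)]."""
    root = Path(tempfile.mkdtemp())
    sysfs, devfs = root / "sys", root / "dev"
    for name, vid, pid, bus, dev in devices:
        (sysfs / name).mkdir(parents=True)
        (sysfs / (name + ":1.0")).mkdir()  # interface entry without idVendor
        for f, val in (("idVendor", vid), ("idProduct", pid), ("busnum", bus), ("devnum", dev)):
            (sysfs / name / f).write_text("%s\n" % val)
        node = Path(device_node(bus, dev, str(devfs)))
        node.parent.mkdir(parents=True, exist_ok=True)
        node.touch()
    return str(sysfs), str(devfs)


if __name__ == "__main__":
    for bus, dev in find_usb_devices("/sys/bus/usb/devices", RFCAT_VID, RFCAT_PID):
        print(device_node(bus, dev), check_access(device_node(bus, dev)))
```

If nothing is printed at all, the dongle is not enumerating (cable or port problem); a “permission denied” line means the udev rule has not taken effect for your user.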